SystemUI As EvilPiP: The Hijacking Attacks on Modern Mobile Devices

Learn how attackers exploit Android's Picture-in-Picture feature to hijack foreground activities and bypass security restrictions, compromising system integrity.

Key takeaways
  • Activity Hijack Attack (HA) is a technique in which malware seizes foreground control to inject malicious content into trusted applications
  • Three capabilities are required for a successful HA:
    • Ability to start an activity from the background
    • Ability to detect the victim's runtime state from the background
    • Ability to run persistently in the background
  • Google has implemented several security policies to prevent HA:
    • Runtime state leaking restrictions
    • Background execution limitations
    • Permission Access Level (PAL) restrictions
  • Picture-in-Picture (PiP) flaws can be abused to bypass these restrictions:
    • Abnormal PiP window sizing can be used to create an effectively invisible window
    • The system treats a PiP window as visible even when it is minimized
    • A PiP window lets its owning process keep a high-priority status
  • Key bypass techniques discovered:
    • Using accessibility services and system services to gain elevated privileges
    • Exploiting account manager bindings
    • Manipulating out-of-memory adjustment (OOM ADJ) scores
    • Creating system window types with higher z-order values
  • Vulnerable applications are targeted through:
    • Background service binding
    • Activity launch chain manipulation
    • Window container transition objects
    • Surface control transitions
  • The attack is particularly effective because it:
    • Requires no dangerous runtime permissions
    • Can be undetectable to users
    • Works across multiple Android versions
    • Can target sensitive applications such as banking apps
  • Multiple CVEs related to PiP and SystemUI vulnerabilities were discovered across Android API levels 32 to 34